In the Linux kernel, the following vulnerability has been resolved:

sched/core: Fix use-after-free bug in dup_user_cpus_ptr()

Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems"), the setting and clearing of user_cpus_ptr are done under pi_lock for the arm64 architecture. However, dup_user_cpus_ptr() accesses user_cpus_ptr without any lock protection. Since sched_setaffinity() can be invoked from another process, the process being modified may be undergoing fork() at the same time. When racing with the clearing of user_cpus_ptr in __set_cpus_allowed_ptr_locked(), this can lead to a use-after-free and possibly a double-free in the arm64 kernel.

Commit 8f9ea86fdf99 ("sched: Always preserve the user requested cpumask") fixed this problem, as user_cpus_ptr, once set, would never be cleared during a task's lifetime. However, the bug was re-introduced in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()"), which allows user_cpus_ptr to be cleared in do_set_cpus_allowed(). This time, it affects all architectures.

Fix this bug by always clearing the user_cpus_ptr of the newly cloned/forked task before the copying process starts, and by checking the user_cpus_ptr state of the source task under pi_lock.

Note to stable: this patch won't be applicable to stable releases. Just copy the new dup_user_cpus_ptr() function over.
No PoCs from references.
- https://github.com/fkie-cad/nvd-json-data-feeds